1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 /* 33 * IPsec output processing. 34 */ 35 #include "opt_inet.h" 36 #include "opt_inet6.h" 37 #include "opt_ipsec.h" 38 #include "opt_sctp.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/domain.h> 44 #include <sys/protosw.h> 45 #include <sys/socket.h> 46 #include <sys/errno.h> 47 #include <sys/hhook.h> 48 #include <sys/syslog.h> 49 50 #include <net/if.h> 51 #include <net/if_enc.h> 52 #include <net/if_var.h> 53 #include <net/vnet.h> 54 55 #include <netinet/in.h> 56 #include <netinet/in_systm.h> 57 #include <netinet/ip.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip_ecn.h> 61 #ifdef INET6 62 #include <netinet6/ip6_ecn.h> 63 #endif 64 #include <netinet/ip_icmp.h> 65 #include <netinet/tcp_var.h> 66 67 #include <netinet/ip6.h> 68 #ifdef INET6 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/scope6_var.h> 71 #endif 72 #include <netinet/in_pcb.h> 73 #ifdef INET6 74 #include <netinet/icmp6.h> 75 #endif 76 #if defined(SCTP) || defined(SCTP_SUPPORT) 77 #include <netinet/sctp_crc32.h> 78 #endif 79 80 #include <netinet/udp.h> 81 #include <netipsec/ah.h> 82 #include <netipsec/esp.h> 83 #include <netipsec/ipsec.h> 84 #ifdef INET6 85 #include <netipsec/ipsec6.h> 86 #endif 87 #include <netipsec/ah_var.h> 88 #include <netipsec/esp_var.h> 89 #include <netipsec/ipcomp_var.h> 90 91 #include <netipsec/xform.h> 92 93 #include <netipsec/key.h> 94 #include <netipsec/keydb.h> 95 #include <netipsec/key_debug.h> 96 97 #include <machine/in_cksum.h> 98 99 #define IPSEC_OSTAT_INC(proto, name) do { \ 100 if ((proto) == IPPROTO_ESP) \ 101 ESPSTAT_INC(esps_##name); \ 102 else if ((proto) == IPPROTO_AH)\ 103 AHSTAT_INC(ahs_##name); \ 104 else \ 105 IPCOMPSTAT_INC(ipcomps_##name); \ 106 } while (0) 107 108 static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx); 109 static size_t ipsec_get_pmtu(struct secasvar *sav); 110 111 #ifdef INET 112 static struct secasvar * 113 ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) 114 { 115 struct secasindex *saidx, tmpsaidx; 116 struct ipsecrequest *isr; 117 struct sockaddr_in *sin; 118 struct secasvar *sav; 119 struct ip *ip; 120 121 /* 122 * Check system global policy controls. 123 */ 124 next: 125 isr = sp->req[*pidx]; 126 if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || 127 (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || 128 (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 129 DPRINTF(("%s: IPsec outbound packet dropped due" 130 " to policy (check your sysctls)\n", __func__)); 131 IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); 132 *error = EHOSTUNREACH; 133 return (NULL); 134 } 135 /* 136 * Craft SA index to search for proper SA. Note that 137 * we only initialize unspecified SA peers for transport 138 * mode; for tunnel mode they must already be filled in. 139 */ 140 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 141 saidx = &tmpsaidx; 142 *saidx = isr->saidx; 143 ip = mtod(m, struct ip *); 144 if (saidx->src.sa.sa_len == 0) { 145 sin = &saidx->src.sin; 146 sin->sin_len = sizeof(*sin); 147 sin->sin_family = AF_INET; 148 sin->sin_port = IPSEC_PORT_ANY; 149 sin->sin_addr = ip->ip_src; 150 } 151 if (saidx->dst.sa.sa_len == 0) { 152 sin = &saidx->dst.sin; 153 sin->sin_len = sizeof(*sin); 154 sin->sin_family = AF_INET; 155 sin->sin_port = IPSEC_PORT_ANY; 156 sin->sin_addr = ip->ip_dst; 157 } 158 } else 159 saidx = &sp->req[*pidx]->saidx; 160 /* 161 * Lookup SA and validate it. 162 */ 163 sav = key_allocsa_policy(sp, saidx, error); 164 if (sav == NULL) { 165 IPSECSTAT_INC(ips_out_nosa); 166 if (*error != 0) 167 return (NULL); 168 if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { 169 /* 170 * We have no SA and policy that doesn't require 171 * this IPsec transform, thus we can continue w/o 172 * IPsec processing, i.e. return EJUSTRETURN. 173 * But first check if there is some bundled transform. 174 */ 175 if (sp->tcount > ++(*pidx)) 176 goto next; 177 *error = EJUSTRETURN; 178 } 179 return (NULL); 180 } 181 IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform")); 182 return (sav); 183 } 184 185 /* 186 * IPsec output logic for IPv4. 187 */ 188 static int 189 ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, 190 struct inpcb *inp, u_int idx) 191 { 192 struct ipsec_ctx_data ctx; 193 union sockaddr_union *dst; 194 struct secasvar *sav; 195 struct ip *ip; 196 int error, i, off; 197 198 IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); 199 200 /* 201 * We hold the reference to SP. Content of SP couldn't be changed. 202 * Craft secasindex and do lookup for suitable SA. 203 * Then do encapsulation if needed and call xform's output. 204 * We need to store SP in the xform callback parameters. 205 * In xform callback we will extract SP and it can be used to 206 * determine next transform. At the end of transform we can 207 * release reference to SP. 208 */ 209 sav = ipsec4_allocsa(m, sp, &idx, &error); 210 if (sav == NULL) { 211 if (error == EJUSTRETURN) { /* No IPsec required */ 212 key_freesp(&sp); 213 return (error); 214 } 215 goto bad; 216 } 217 /* 218 * XXXAE: most likely ip_sum at this point is wrong. 219 */ 220 IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE); 221 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 222 goto bad; 223 224 ip = mtod(m, struct ip *); 225 dst = &sav->sah->saidx.dst; 226 /* Do the appropriate encapsulation, if necessary */ 227 if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 228 dst->sa.sa_family != AF_INET || /* PF mismatch */ 229 (dst->sa.sa_family == AF_INET && /* Proxy */ 230 dst->sin.sin_addr.s_addr != INADDR_ANY && 231 dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { 232 /* Fix IPv4 header checksum and length */ 233 ip->ip_len = htons(m->m_pkthdr.len); 234 ip->ip_sum = 0; 235 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 236 error = ipsec_encap(&m, &sav->sah->saidx); 237 if (error != 0) { 238 DPRINTF(("%s: encapsulation for SPI 0x%08x failed " 239 "with error %d\n", __func__, ntohl(sav->spi), 240 error)); 241 /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ 242 goto bad; 243 } 244 inp = NULL; 245 } 246 247 IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); 248 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 249 goto bad; 250 251 /* 252 * Dispatch to the appropriate IPsec transform logic. The 253 * packet will be returned for transmission after crypto 254 * processing, etc. are completed. 255 * 256 * NB: m & sav are ``passed to caller'' who's responsible for 257 * reclaiming their resources. 258 */ 259 switch(dst->sa.sa_family) { 260 case AF_INET: 261 ip = mtod(m, struct ip *); 262 i = ip->ip_hl << 2; 263 off = offsetof(struct ip, ip_p); 264 break; 265 #ifdef INET6 266 case AF_INET6: 267 i = sizeof(struct ip6_hdr); 268 off = offsetof(struct ip6_hdr, ip6_nxt); 269 break; 270 #endif /* INET6 */ 271 default: 272 DPRINTF(("%s: unsupported protocol family %u\n", 273 __func__, dst->sa.sa_family)); 274 error = EPFNOSUPPORT; 275 IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); 276 goto bad; 277 } 278 error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); 279 return (error); 280 bad: 281 IPSECSTAT_INC(ips_out_inval); 282 if (m != NULL) 283 m_freem(m); 284 if (sav != NULL) 285 key_freesav(&sav); 286 key_freesp(&sp); 287 return (error); 288 } 289 290 int 291 ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp, 292 struct inpcb *inp) 293 { 294 295 return (ipsec4_perform_request(m, sp, inp, 0)); 296 } 297 298 int 299 ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding) 300 { 301 struct secasvar *sav; 302 struct ip *ip; 303 size_t hlen, pmtu; 304 uint32_t idx; 305 int error; 306 307 /* Don't check PMTU if the frame won't have DF bit set. */ 308 if (!V_ip4_ipsec_dfbit) 309 return (0); 310 if (V_ip4_ipsec_dfbit == 1) 311 goto setdf; 312 313 /* V_ip4_ipsec_dfbit > 1 - we will copy it from inner header. */ 314 ip = mtod(m, struct ip *); 315 if (!(ip->ip_off & htons(IP_DF))) 316 return (0); 317 318 setdf: 319 idx = sp->tcount - 1; 320 sav = ipsec4_allocsa(m, sp, &idx, &error); 321 if (sav == NULL) { 322 key_freesp(&sp); 323 /* 324 * No matching SA was found and SADB_ACQUIRE message was generated. 325 * Since we have matched a SP to this packet drop it silently. 326 */ 327 if (error == 0) 328 error = EINPROGRESS; 329 if (error != EJUSTRETURN) 330 m_freem(m); 331 332 return (error); 333 } 334 335 pmtu = ipsec_get_pmtu(sav); 336 if (pmtu == 0) { 337 key_freesav(&sav); 338 return (0); 339 } 340 341 hlen = ipsec_hdrsiz_internal(sp); 342 key_freesav(&sav); 343 344 if (m_length(m, NULL) + hlen > pmtu) { 345 /* 346 * If we're forwarding generate ICMP message here, 347 * so that it contains pmtu subtracted by header size. 348 * Set error to EINPROGRESS, in order for the frame 349 * to be dropped silently. 350 */ 351 if (forwarding) { 352 if (pmtu > hlen) 353 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 354 0, pmtu - hlen); 355 else 356 m_freem(m); 357 358 key_freesp(&sp); 359 return (EINPROGRESS); /* Pretend that we consumed it. */ 360 } else { 361 m_freem(m); 362 key_freesp(&sp); 363 return (EMSGSIZE); 364 } 365 } 366 367 return (0); 368 } 369 370 static int 371 ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding) 372 { 373 struct secpolicy *sp; 374 int error; 375 376 /* Lookup for the corresponding outbound security policy */ 377 sp = ipsec4_checkpolicy(m, inp, &error, !forwarding); 378 if (sp == NULL) { 379 if (error == -EINVAL) { 380 /* Discarded by policy. */ 381 m_freem(m); 382 return (EACCES); 383 } 384 return (0); /* No IPsec required. */ 385 } 386 387 /* 388 * Usually we have to have tunnel mode IPsec security policy 389 * when we are forwarding a packet. Otherwise we could not handle 390 * encrypted replies, because they are not destined for us. But 391 * some users are doing source address translation for forwarded 392 * packets, and thus, even if they are forwarded, the replies will 393 * return back to us. 394 */ 395 if (!forwarding) { 396 /* 397 * Do delayed checksums now because we send before 398 * this is done in the normal processing path. 399 */ 400 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 401 m = mb_unmapped_to_ext(m); 402 if (m == NULL) { 403 IPSECSTAT_INC(ips_out_nomem); 404 key_freesp(&sp); 405 return (ENOBUFS); 406 } 407 in_delayed_cksum(m); 408 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 409 } 410 #if defined(SCTP) || defined(SCTP_SUPPORT) 411 if (m->m_pkthdr.csum_flags & CSUM_SCTP) { 412 struct ip *ip; 413 414 ip = mtod(m, struct ip *); 415 sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2)); 416 m->m_pkthdr.csum_flags &= ~CSUM_SCTP; 417 } 418 #endif 419 } 420 /* NB: callee frees mbuf and releases reference to SP */ 421 error = ipsec4_check_pmtu(m, sp, forwarding); 422 if (error != 0) { 423 if (error == EJUSTRETURN) 424 return (0); 425 426 return (error); 427 } 428 429 error = ipsec4_process_packet(m, sp, inp); 430 if (error == EJUSTRETURN) { 431 /* 432 * We had a SP with a level of 'use' and no SA. We 433 * will just continue to process the packet without 434 * IPsec processing and return without error. 435 */ 436 return (0); 437 } 438 if (error == 0) 439 return (EINPROGRESS); /* consumed by IPsec */ 440 return (error); 441 } 442 443 /* 444 * IPSEC_OUTPUT() method implementation for IPv4. 445 * 0 - no IPsec handling needed 446 * other values - mbuf consumed by IPsec. 447 */ 448 int 449 ipsec4_output(struct mbuf *m, struct inpcb *inp) 450 { 451 452 /* 453 * If the packet is resubmitted to ip_output (e.g. after 454 * AH, ESP, etc. processing), there will be a tag to bypass 455 * the lookup and related policy checking. 456 */ 457 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) 458 return (0); 459 460 return (ipsec4_common_output(m, inp, 0)); 461 } 462 463 /* 464 * IPSEC_FORWARD() method implementation for IPv4. 465 * 0 - no IPsec handling needed 466 * other values - mbuf consumed by IPsec. 467 */ 468 int 469 ipsec4_forward(struct mbuf *m) 470 { 471 472 /* 473 * Check if this packet has an active inbound SP and needs to be 474 * dropped instead of forwarded. 475 */ 476 if (ipsec4_in_reject(m, NULL) != 0) { 477 m_freem(m); 478 return (EACCES); 479 } 480 return (ipsec4_common_output(m, NULL, 1)); 481 } 482 #endif 483 484 #ifdef INET6 485 static int 486 in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, 487 const struct in6_addr *ia) 488 { 489 struct in6_addr ia2; 490 491 if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) { 492 memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); 493 ia2.s6_addr16[1] = htons(sa->sin6_scope_id); 494 return (IN6_ARE_ADDR_EQUAL(ia, &ia2)); 495 } 496 return (IN6_ARE_ADDR_EQUAL(&sa->sin6_addr, ia)); 497 } 498 499 static struct secasvar * 500 ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error) 501 { 502 struct secasindex *saidx, tmpsaidx; 503 struct ipsecrequest *isr; 504 struct sockaddr_in6 *sin6; 505 struct secasvar *sav; 506 struct ip6_hdr *ip6; 507 508 /* 509 * Check system global policy controls. 510 */ 511 next: 512 isr = sp->req[*pidx]; 513 if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || 514 (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || 515 (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 516 DPRINTF(("%s: IPsec outbound packet dropped due" 517 " to policy (check your sysctls)\n", __func__)); 518 IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); 519 *error = EHOSTUNREACH; 520 return (NULL); 521 } 522 /* 523 * Craft SA index to search for proper SA. Note that 524 * we only fillin unspecified SA peers for transport 525 * mode; for tunnel mode they must already be filled in. 526 */ 527 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 528 saidx = &tmpsaidx; 529 *saidx = isr->saidx; 530 ip6 = mtod(m, struct ip6_hdr *); 531 if (saidx->src.sin6.sin6_len == 0) { 532 sin6 = (struct sockaddr_in6 *)&saidx->src; 533 sin6->sin6_len = sizeof(*sin6); 534 sin6->sin6_family = AF_INET6; 535 sin6->sin6_port = IPSEC_PORT_ANY; 536 sin6->sin6_addr = ip6->ip6_src; 537 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 538 /* fix scope id for comparing SPD */ 539 sin6->sin6_addr.s6_addr16[1] = 0; 540 sin6->sin6_scope_id = 541 ntohs(ip6->ip6_src.s6_addr16[1]); 542 } 543 } 544 if (saidx->dst.sin6.sin6_len == 0) { 545 sin6 = (struct sockaddr_in6 *)&saidx->dst; 546 sin6->sin6_len = sizeof(*sin6); 547 sin6->sin6_family = AF_INET6; 548 sin6->sin6_port = IPSEC_PORT_ANY; 549 sin6->sin6_addr = ip6->ip6_dst; 550 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 551 /* fix scope id for comparing SPD */ 552 sin6->sin6_addr.s6_addr16[1] = 0; 553 sin6->sin6_scope_id = 554 ntohs(ip6->ip6_dst.s6_addr16[1]); 555 } 556 } 557 } else 558 saidx = &sp->req[*pidx]->saidx; 559 /* 560 * Lookup SA and validate it. 561 */ 562 sav = key_allocsa_policy(sp, saidx, error); 563 if (sav == NULL) { 564 IPSEC6STAT_INC(ips_out_nosa); 565 if (*error != 0) 566 return (NULL); 567 if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { 568 /* 569 * We have no SA and policy that doesn't require 570 * this IPsec transform, thus we can continue w/o 571 * IPsec processing, i.e. return EJUSTRETURN. 572 * But first check if there is some bundled transform. 573 */ 574 if (sp->tcount > ++(*pidx)) 575 goto next; 576 *error = EJUSTRETURN; 577 } 578 return (NULL); 579 } 580 IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform")); 581 return (sav); 582 } 583 584 /* 585 * IPsec output logic for IPv6. 586 */ 587 static int 588 ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, 589 struct inpcb *inp, u_int idx) 590 { 591 struct ipsec_ctx_data ctx; 592 union sockaddr_union *dst; 593 struct secasvar *sav; 594 struct ip6_hdr *ip6; 595 int error, i, off; 596 597 IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); 598 599 sav = ipsec6_allocsa(m, sp, &idx, &error); 600 if (sav == NULL) { 601 if (error == EJUSTRETURN) { /* No IPsec required */ 602 key_freesp(&sp); 603 return (error); 604 } 605 goto bad; 606 } 607 608 /* Fix IP length in case if it is not set yet. */ 609 ip6 = mtod(m, struct ip6_hdr *); 610 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); 611 612 IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE); 613 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 614 goto bad; 615 616 ip6 = mtod(m, struct ip6_hdr *); /* pfil can change mbuf */ 617 dst = &sav->sah->saidx.dst; 618 619 /* Do the appropriate encapsulation, if necessary */ 620 if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 621 dst->sa.sa_family != AF_INET6 || /* PF mismatch */ 622 ((dst->sa.sa_family == AF_INET6) && 623 (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && 624 (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) { 625 if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { 626 /* No jumbogram support. */ 627 error = ENXIO; /*XXX*/ 628 goto bad; 629 } 630 error = ipsec_encap(&m, &sav->sah->saidx); 631 if (error != 0) { 632 DPRINTF(("%s: encapsulation for SPI 0x%08x failed " 633 "with error %d\n", __func__, ntohl(sav->spi), 634 error)); 635 /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ 636 goto bad; 637 } 638 inp = NULL; 639 } 640 641 IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); 642 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 643 goto bad; 644 645 switch(dst->sa.sa_family) { 646 #ifdef INET 647 case AF_INET: 648 { 649 struct ip *ip; 650 ip = mtod(m, struct ip *); 651 i = ip->ip_hl << 2; 652 off = offsetof(struct ip, ip_p); 653 } 654 break; 655 #endif /* AF_INET */ 656 case AF_INET6: 657 i = sizeof(struct ip6_hdr); 658 off = offsetof(struct ip6_hdr, ip6_nxt); 659 break; 660 default: 661 DPRINTF(("%s: unsupported protocol family %u\n", 662 __func__, dst->sa.sa_family)); 663 error = EPFNOSUPPORT; 664 IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); 665 goto bad; 666 } 667 error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); 668 return (error); 669 bad: 670 IPSEC6STAT_INC(ips_out_inval); 671 if (m != NULL) 672 m_freem(m); 673 if (sav != NULL) 674 key_freesav(&sav); 675 key_freesp(&sp); 676 return (error); 677 } 678 679 int 680 ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp, 681 struct inpcb *inp) 682 { 683 684 return (ipsec6_perform_request(m, sp, inp, 0)); 685 } 686 687 /* 688 * IPv6 implementation is based on IPv4 implementation. 689 */ 690 int 691 ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding) 692 { 693 struct secasvar *sav; 694 size_t hlen, pmtu; 695 uint32_t idx; 696 int error; 697 698 /* 699 * According to RFC8200 L3 fragmentation is supposed to be done only on 700 * locally generated packets. During L3 forwarding packets that are too 701 * big are always supposed to be dropped, with an ICMPv6 packet being 702 * sent back. 703 */ 704 if (!forwarding) 705 return (0); 706 707 idx = sp->tcount - 1; 708 sav = ipsec6_allocsa(m, sp, &idx, &error); 709 if (sav == NULL) { 710 key_freesp(&sp); 711 /* 712 * No matching SA was found and SADB_ACQUIRE message was generated. 713 * Since we have matched a SP to this packet drop it silently. 714 */ 715 if (error == 0) 716 error = EINPROGRESS; 717 if (error != EJUSTRETURN) 718 m_freem(m); 719 720 return (error); 721 } 722 723 pmtu = ipsec_get_pmtu(sav); 724 if (pmtu == 0) { 725 key_freesav(&sav); 726 return (0); 727 } 728 729 hlen = ipsec_hdrsiz_internal(sp); 730 key_freesav(&sav); 731 732 if (m_length(m, NULL) + hlen > pmtu) { 733 /* 734 * If we're forwarding generate ICMPv6 message here, 735 * so that it contains pmtu subtracted by header size. 736 * Set error to EINPROGRESS, in order for the frame 737 * to be dropped silently. 738 */ 739 if (forwarding) { 740 if (pmtu > hlen) 741 icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, pmtu - hlen); 742 else 743 m_freem(m); 744 745 key_freesp(&sp); 746 return (EINPROGRESS); /* Pretend that we consumed it. */ 747 } 748 } 749 750 return (0); 751 } 752 753 static int 754 ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding) 755 { 756 struct secpolicy *sp; 757 int error; 758 759 /* Lookup for the corresponding outbound security policy */ 760 sp = ipsec6_checkpolicy(m, inp, &error, !forwarding); 761 if (sp == NULL) { 762 if (error == -EINVAL) { 763 /* Discarded by policy. */ 764 m_freem(m); 765 return (EACCES); 766 } 767 return (0); /* No IPsec required. */ 768 } 769 770 if (!forwarding) { 771 /* 772 * Do delayed checksums now because we send before 773 * this is done in the normal processing path. 774 */ 775 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { 776 m = mb_unmapped_to_ext(m); 777 if (m == NULL) { 778 IPSEC6STAT_INC(ips_out_nomem); 779 key_freesp(&sp); 780 return (ENOBUFS); 781 } 782 in6_delayed_cksum(m, m->m_pkthdr.len - 783 sizeof(struct ip6_hdr), sizeof(struct ip6_hdr)); 784 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; 785 } 786 #if defined(SCTP) || defined(SCTP_SUPPORT) 787 if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) { 788 sctp_delayed_cksum(m, sizeof(struct ip6_hdr)); 789 m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6; 790 } 791 #endif 792 } 793 794 error = ipsec6_check_pmtu(m, sp, forwarding); 795 if (error != 0) { 796 if (error == EJUSTRETURN) 797 return (0); 798 799 return (error); 800 } 801 802 /* NB: callee frees mbuf and releases reference to SP */ 803 error = ipsec6_process_packet(m, sp, inp); 804 if (error == EJUSTRETURN) { 805 /* 806 * We had a SP with a level of 'use' and no SA. We 807 * will just continue to process the packet without 808 * IPsec processing and return without error. 809 */ 810 return (0); 811 } 812 if (error == 0) 813 return (EINPROGRESS); /* consumed by IPsec */ 814 return (error); 815 } 816 817 /* 818 * IPSEC_OUTPUT() method implementation for IPv6. 819 * 0 - no IPsec handling needed 820 * other values - mbuf consumed by IPsec. 821 */ 822 int 823 ipsec6_output(struct mbuf *m, struct inpcb *inp) 824 { 825 826 /* 827 * If the packet is resubmitted to ip_output (e.g. after 828 * AH, ESP, etc. processing), there will be a tag to bypass 829 * the lookup and related policy checking. 830 */ 831 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) 832 return (0); 833 834 return (ipsec6_common_output(m, inp, 0)); 835 } 836 837 /* 838 * IPSEC_FORWARD() method implementation for IPv6. 839 * 0 - no IPsec handling needed 840 * other values - mbuf consumed by IPsec. 841 */ 842 int 843 ipsec6_forward(struct mbuf *m) 844 { 845 846 /* 847 * Check if this packet has an active inbound SP and needs to be 848 * dropped instead of forwarded. 849 */ 850 if (ipsec6_in_reject(m, NULL) != 0) { 851 m_freem(m); 852 return (EACCES); 853 } 854 return (ipsec6_common_output(m, NULL, 1)); 855 } 856 #endif /* INET6 */ 857 858 int 859 ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, 860 u_int idx) 861 { 862 struct epoch_tracker et; 863 struct xform_history *xh; 864 struct secasindex *saidx; 865 struct m_tag *mtag; 866 int error; 867 868 saidx = &sav->sah->saidx; 869 switch (saidx->dst.sa.sa_family) { 870 #ifdef INET 871 case AF_INET: 872 /* Fix the header length, for AH processing. */ 873 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len); 874 break; 875 #endif /* INET */ 876 #ifdef INET6 877 case AF_INET6: 878 /* Fix the header length, for AH processing. */ 879 if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) { 880 error = ENXIO; 881 goto bad; 882 } 883 if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) { 884 /* No jumbogram support. */ 885 error = ENXIO; /*?*/ 886 goto bad; 887 } 888 mtod(m, struct ip6_hdr *)->ip6_plen = 889 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 890 break; 891 #endif /* INET6 */ 892 default: 893 DPRINTF(("%s: unknown protocol family %u\n", __func__, 894 saidx->dst.sa.sa_family)); 895 error = ENXIO; 896 goto bad; 897 } 898 899 /* 900 * Add a record of what we've done to the packet. 901 */ 902 mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(*xh), M_NOWAIT); 903 if (mtag == NULL) { 904 DPRINTF(("%s: could not get packet tag\n", __func__)); 905 error = ENOMEM; 906 goto bad; 907 } 908 909 xh = (struct xform_history *)(mtag + 1); 910 xh->dst = saidx->dst; 911 xh->proto = saidx->proto; 912 xh->mode = saidx->mode; 913 xh->spi = sav->spi; 914 m_tag_prepend(m, mtag); 915 916 key_sa_recordxfer(sav, m); /* record data transfer */ 917 918 /* 919 * If there's another (bundled) SA to apply, do so. 920 * Note that this puts a burden on the kernel stack size. 921 * If this is a problem we'll need to introduce a queue 922 * to set the packet on so we can unwind the stack before 923 * doing further processing. 924 */ 925 if (++idx < sp->tcount) { 926 switch (saidx->dst.sa.sa_family) { 927 #ifdef INET 928 case AF_INET: 929 key_freesav(&sav); 930 IPSECSTAT_INC(ips_out_bundlesa); 931 return (ipsec4_perform_request(m, sp, NULL, idx)); 932 /* NOTREACHED */ 933 #endif 934 #ifdef INET6 935 case AF_INET6: 936 key_freesav(&sav); 937 IPSEC6STAT_INC(ips_out_bundlesa); 938 return (ipsec6_perform_request(m, sp, NULL, idx)); 939 /* NOTREACHED */ 940 #endif /* INET6 */ 941 default: 942 DPRINTF(("%s: unknown protocol family %u\n", __func__, 943 saidx->dst.sa.sa_family)); 944 error = EPFNOSUPPORT; 945 goto bad; 946 } 947 } 948 949 key_freesp(&sp), sp = NULL; /* Release reference to SP */ 950 #ifdef INET 951 /* 952 * Do UDP encapsulation if SA requires it. 953 */ 954 if (sav->natt != NULL) { 955 error = udp_ipsec_output(m, sav); 956 if (error != 0) 957 goto bad; 958 } 959 #endif /* INET */ 960 /* 961 * We're done with IPsec processing, transmit the packet using the 962 * appropriate network protocol (IP or IPv6). 963 */ 964 NET_EPOCH_ENTER(et); 965 switch (saidx->dst.sa.sa_family) { 966 #ifdef INET 967 case AF_INET: 968 key_freesav(&sav); 969 error = ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL); 970 break; 971 #endif /* INET */ 972 #ifdef INET6 973 case AF_INET6: 974 key_freesav(&sav); 975 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 976 break; 977 #endif /* INET6 */ 978 default: 979 panic("ipsec_process_done"); 980 } 981 NET_EPOCH_EXIT(et); 982 return (error); 983 bad: 984 m_freem(m); 985 key_freesav(&sav); 986 if (sp != NULL) 987 key_freesp(&sp); 988 return (error); 989 } 990 991 /* 992 * ipsec_prepend() is optimized version of M_PREPEND(). 993 * ipsec_encap() is called by IPsec output routine for tunnel mode SA. 994 * It is expected that after IP encapsulation some IPsec transform will 995 * be performed. Each IPsec transform inserts its variable length header 996 * just after outer IP header using m_makespace(). If given mbuf has not 997 * enough free space at the beginning, we allocate new mbuf and reserve 998 * some space at the beginning and at the end. 999 * This helps avoid allocating of new mbuf and data copying in m_makespace(), 1000 * we place outer header in the middle of mbuf's data with reserved leading 1001 * and trailing space: 1002 * [ LEADINGSPACE ][ Outer IP header ][ TRAILINGSPACE ] 1003 * LEADINGSPACE will be used to add ethernet header, TRAILINGSPACE will 1004 * be used to inject AH/ESP/IPCOMP header. 1005 */ 1006 #define IPSEC_TRAILINGSPACE (sizeof(struct udphdr) +/* NAT-T */ \ 1007 max(sizeof(struct newesp) + EALG_MAX_BLOCK_LEN, /* ESP + IV */ \ 1008 sizeof(struct newah) + HASH_MAX_LEN /* AH + ICV */)) 1009 static struct mbuf * 1010 ipsec_prepend(struct mbuf *m, int len, int how) 1011 { 1012 struct mbuf *n; 1013 1014 M_ASSERTPKTHDR(m); 1015 IPSEC_ASSERT(len < MHLEN, ("wrong length")); 1016 if (M_LEADINGSPACE(m) >= len) { 1017 /* No need to allocate new mbuf. */ 1018 m->m_data -= len; 1019 m->m_len += len; 1020 m->m_pkthdr.len += len; 1021 return (m); 1022 } 1023 n = m_gethdr(how, m->m_type); 1024 if (n == NULL) { 1025 m_freem(m); 1026 return (NULL); 1027 } 1028 m_move_pkthdr(n, m); 1029 n->m_next = m; 1030 if (len + IPSEC_TRAILINGSPACE < M_SIZE(n)) 1031 m_align(n, len + IPSEC_TRAILINGSPACE); 1032 n->m_len = len; 1033 n->m_pkthdr.len += len; 1034 return (n); 1035 } 1036 1037 static size_t 1038 ipsec_get_pmtu(struct secasvar *sav) 1039 { 1040 union sockaddr_union *dst; 1041 struct in_conninfo inc; 1042 size_t pmtu; 1043 1044 dst = &sav->sah->saidx.dst; 1045 memset(&inc, 0, sizeof(inc)); 1046 1047 switch (dst->sa.sa_family) { 1048 #ifdef INET 1049 case AF_INET: 1050 inc.inc_faddr = satosin(&dst->sa)->sin_addr; 1051 break; 1052 #endif 1053 #ifdef INET6 1054 case AF_INET6: 1055 inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr; 1056 inc.inc_flags |= INC_ISIPV6; 1057 break; 1058 #endif 1059 default: 1060 return (0); 1061 } 1062 1063 pmtu = tcp_hc_getmtu(&inc); 1064 if (pmtu != 0) 1065 return (pmtu); 1066 1067 /* No entry in hostcache. Assume that PMTU is equal to link's MTU */ 1068 switch (dst->sa.sa_family) { 1069 #ifdef INET 1070 case AF_INET: 1071 pmtu = tcp_maxmtu(&inc, NULL); 1072 break; 1073 #endif 1074 #ifdef INET6 1075 case AF_INET6: 1076 pmtu = tcp_maxmtu6(&inc, NULL); 1077 break; 1078 #endif 1079 default: 1080 return (0); 1081 } 1082 if (pmtu == 0) 1083 return (0); 1084 1085 tcp_hc_updatemtu(&inc, pmtu); 1086 1087 return (pmtu); 1088 } 1089 1090 static int 1091 ipsec_encap(struct mbuf **mp, struct secasindex *saidx) 1092 { 1093 #ifdef INET6 1094 struct ip6_hdr *ip6; 1095 #endif 1096 struct ip *ip; 1097 int setdf; 1098 uint8_t itos, proto; 1099 1100 ip = mtod(*mp, struct ip *); 1101 switch (ip->ip_v) { 1102 #ifdef INET 1103 case IPVERSION: 1104 proto = IPPROTO_IPIP; 1105 /* 1106 * Collect IP_DF state from the inner header 1107 * and honor system-wide control of how to handle it. 1108 */ 1109 switch (V_ip4_ipsec_dfbit) { 1110 case 0: /* clear in outer header */ 1111 case 1: /* set in outer header */ 1112 setdf = V_ip4_ipsec_dfbit; 1113 break; 1114 default:/* propagate to outer header */ 1115 setdf = (ip->ip_off & htons(IP_DF)) != 0; 1116 } 1117 itos = ip->ip_tos; 1118 break; 1119 #endif 1120 #ifdef INET6 1121 case (IPV6_VERSION >> 4): 1122 proto = IPPROTO_IPV6; 1123 ip6 = mtod(*mp, struct ip6_hdr *); 1124 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 1125 setdf = V_ip4_ipsec_dfbit ? 1: 0; 1126 /* scoped address handling */ 1127 in6_clearscope(&ip6->ip6_src); 1128 in6_clearscope(&ip6->ip6_dst); 1129 break; 1130 #endif 1131 default: 1132 return (EAFNOSUPPORT); 1133 } 1134 switch (saidx->dst.sa.sa_family) { 1135 #ifdef INET 1136 case AF_INET: 1137 if (saidx->src.sa.sa_family != AF_INET || 1138 saidx->src.sin.sin_addr.s_addr == INADDR_ANY || 1139 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) 1140 return (EINVAL); 1141 *mp = ipsec_prepend(*mp, sizeof(struct ip), M_NOWAIT); 1142 if (*mp == NULL) 1143 return (ENOBUFS); 1144 ip = mtod(*mp, struct ip *); 1145 ip->ip_v = IPVERSION; 1146 ip->ip_hl = sizeof(struct ip) >> 2; 1147 ip->ip_p = proto; 1148 ip->ip_len = htons((*mp)->m_pkthdr.len); 1149 ip->ip_ttl = V_ip_defttl; 1150 ip->ip_sum = 0; 1151 ip->ip_off = setdf ? htons(IP_DF): 0; 1152 ip->ip_src = saidx->src.sin.sin_addr; 1153 ip->ip_dst = saidx->dst.sin.sin_addr; 1154 ip_ecn_ingress(V_ip4_ipsec_ecn, &ip->ip_tos, &itos); 1155 ip_fillid(ip); 1156 break; 1157 #endif /* INET */ 1158 #ifdef INET6 1159 case AF_INET6: 1160 if (saidx->src.sa.sa_family != AF_INET6 || 1161 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr) || 1162 IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr)) 1163 return (EINVAL); 1164 *mp = ipsec_prepend(*mp, sizeof(struct ip6_hdr), M_NOWAIT); 1165 if (*mp == NULL) 1166 return (ENOBUFS); 1167 ip6 = mtod(*mp, struct ip6_hdr *); 1168 ip6->ip6_flow = 0; 1169 ip6->ip6_vfc = IPV6_VERSION; 1170 ip6->ip6_hlim = V_ip6_defhlim; 1171 ip6->ip6_nxt = proto; 1172 ip6->ip6_dst = saidx->dst.sin6.sin6_addr; 1173 /* For link-local address embed scope zone id */ 1174 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 1175 ip6->ip6_dst.s6_addr16[1] = 1176 htons(saidx->dst.sin6.sin6_scope_id & 0xffff); 1177 ip6->ip6_src = saidx->src.sin6.sin6_addr; 1178 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 1179 ip6->ip6_src.s6_addr16[1] = 1180 htons(saidx->src.sin6.sin6_scope_id & 0xffff); 1181 ip6->ip6_plen = htons((*mp)->m_pkthdr.len - sizeof(*ip6)); 1182 ip_ecn_ingress(V_ip6_ipsec_ecn, &proto, &itos); 1183 ip6->ip6_flow |= htonl((uint32_t)proto << 20); 1184 break; 1185 #endif /* INET6 */ 1186 default: 1187 return (EAFNOSUPPORT); 1188 } 1189 (*mp)->m_flags &= ~(M_BCAST | M_MCAST); 1190 return (0); 1191 } 1192